POST /:projectId/api/v7/auth/verify-external-user
Verify External User
curl --request POST \
  --url https://api.replyke.com/api/v6/:projectId/api/v7/auth/verify-external-user \
  --header 'Content-Type: application/json' \
  --data '
{
  "userJwt": "<string>"
}
'
{
  "success": true,
  "accessToken": "<string>",
  "refreshToken": "<string>",
  "user": {
    "id": "<string>",
    "foreignId": {},
    "role": "<string>",
    "email": {},
    "name": {},
    "username": {},
    "avatar": {},
    "bio": {},
    "metadata": {},
    "reputation": {},
    "isVerified": {},
    "isActive": {},
    "lastActive": {},
    "suspensions": [
      {}
    ],
    "avatarFile": {},
    "bannerFile": {},
    "authMethods": [
      "<string>"
    ],
    "createdAt": "<string>"
  }
}
Accepts a JWT signed by your own auth system and returns Replyke tokens. If the user does not exist in the project, they are created. If they do exist, their profile is updated with any changed fields from the JWT payload. The JWT must be signed with the RSA private key corresponding to the public key configured in your Replyke project settings.

Body Parameters

userJwt (string, required): A JWT signed with your project’s RSA private key (RS256 algorithm). The payload must include sub (external user ID) and iss (your Replyke project ID). The userData claim may contain optional profile fields.

JWT Payload Structure

The userJwt must contain:
Claim     Required  Description
sub       Yes       External user ID. Stored as foreignId on the Replyke user.
iss       Yes       Your Replyke project ID. Must match the request project.
userData  No        Object with optional profile fields (see below).

userData fields

Field           Type    Description
email           string  Email address
name            string  Display name
username        string  Username
avatar          string  Avatar URL
bio             string  Bio text
location        object  { latitude, longitude }
birthdate       string  ISO 8601 date
metadata        object  Public custom data
secureMetadata  object  Private custom data
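
Added example (not Replyke's own code): one way to mint the userJwt on your backend with Node's built-in crypto module, plus a local pre-flight check of the signature, algorithm, iss and exp. The throwaway key pair, the project ID proj_example_123, the user values, the 5-minute exp and the helper names signUserJwt / verifyUserJwt are assumptions made for this illustration.

```javascript
// Added example, not Replyke's code. Uses only Node's built-in crypto module.
const nodeCrypto = require("node:crypto");

const b64url = (value) => Buffer.from(value).toString("base64url");
const fromB64url = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Mint the userJwt: RS256, with sub, iss and the optional userData claim.
function signUserJwt({ privateKey, projectId, externalUserId, userData, ttlSeconds = 300 }) {
  const now = Math.floor(Date.now() / 1000);
  const payload = {
    sub: String(externalUserId), // stored as foreignId on the Replyke user
    iss: projectId,              // must match :projectId in the request path
    iat: now,
    exp: now + ttlSeconds,       // assumption: short lifetime chosen for this example
    ...(userData ? { userData } : {}),
  };
  const signingInput =
    b64url(JSON.stringify({ alg: "RS256", typ: "JWT" })) + "." + b64url(JSON.stringify(payload));
  const signature = nodeCrypto.sign("RSA-SHA256", Buffer.from(signingInput), privateKey);
  return signingInput + "." + signature.toString("base64url");
}

// Pre-flight check with the project's public key; returns the payload or null.
function verifyUserJwt(token, publicKey, projectId) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    if (fromB64url(head).alg !== "RS256") return null; // pin the algorithm
    const signed = Buffer.from(head + "." + body);
    if (!nodeCrypto.verify("RSA-SHA256", signed, publicKey, Buffer.from(sig, "base64url"))) return null;
    const payload = fromB64url(body);
    const expired = typeof payload.exp !== "number" || payload.exp <= Date.now() / 1000;
    return payload.iss === projectId && payload.sub && !expired ? payload : null;
  } catch {
    return null; // malformed base64url or JSON
  }
}

// Constructed demo values: throwaway key pair, placeholder project ID and user.
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const PROJECT_ID = "proj_example_123";
const demoToken = signUserJwt({
  privateKey,
  projectId: PROJECT_ID,
  externalUserId: "user-42",
  userData: { username: "alice", email: "alice@example.com" },
});
const requestBody = JSON.stringify({ userJwt: demoToken }); // POST body for this endpoint
```

Sign on the server only, so the RSA private key never reaches the client; the browser should receive just the finished token or the Replyke tokens returned by this endpoint.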

Response

success (boolean): true on success.
accessToken (string): Short-lived JWT access token. Expires in 30 minutes.
refreshToken (string): Long-lived JWT refresh token. Expires in 30 days.
user (object): The verified or created user’s profile.

Error Responses

{
  "error": "Missing JWT keys",
  "code": "auth/missing-keys"
}
The project does not have a public key configured.
{
  "error": "Invalid token",
  "code": "auth/invalid-token"
}
The JWT signature is invalid or the token is expired.
{
  "error": "Project ID mismatch",
  "code": "auth/project-mismatch"
}
The iss claim in the JWT does not match the request project ID.
{
  "error": "Username already taken",
  "field": "username",
  "code": "DUPLICATE_USERNAME"
}
